Vauxoo/addons-vauxoo

[9.0] product_category_multicompany & POS session: product.category Access Error

BzMB opened this issue · 0 comments

BzMB commented

Hi there,

Thanks for your work on product_category_multicompany.

We potentially found a security issue in the module product_category_multicompany.

How to recreate:

  • Install Odoo with a multicompany scenario.
  • Create different product internal categories.
  • Assign different companies to the internal categories.
  • Load a couple of products into the POS side and assign the correct POS category.
  • Install product_category_multicompany.
  • Configure and load a POS session with a NON MAIN ADMIN user.

The loading will stop on product.product and raise the following access error:

(u'The requested operation cannot be completed due to security restrictions. Please contact your system administrator.\\n\\n(Document type: product.category, Operation: read)', None)\n","exception_type":"access_error","message":"The requested operation cannot be completed due to security restrictions. Please contact your system administrator.\n\n(Document type: product.category, Operation: read)\nNone","name":"openerp.exceptions.AccessError","arguments":["The requested operation cannot be completed due to security restrictions. Please contact your system administrator.\n\n(Document type: product.category, Operation: read)",null]}}

If you uninstall the product_category_multicompany module, the POS session for the non-admin user will load correctly.

Can you please try to recreate from your end and confirm it?

We are using the latest source code from your repo and from Odoo core.

Many thanks.